Tales from the Trenches: Host Enumeration

Category: CTU Research

May 10, 2016 | By Counter Threat Unit™ (CTU) Research Team

Once inside a network, threat actors need to find what they are looking for.

The search typically involves enumerating hosts on the network: discovering which hosts are reachable and determining their purpose. Host enumeration can be done in many ways; threat actors may bring their own tools or use tools already present on the compromised system. Regardless of method, there are visible signs, either on the host they are enumerating from (typically their initial foothold in the network) or in the network traffic.

Endpoint detection and response technologies like Red Cloak give network defenders the visibility to detect host enumeration activities. SecureWorks® Counter Threat Unit™ (CTU) researchers use Red Cloak to monitor both tool execution on the host and network flow traffic to and from a host.

Example 1 – NetBIOS scanning

Red Cloak captured information about a process named "sharescan.exe" scanning the network (see Figure 1). Inspection of the file information revealed it to be a tool that queries the NetBIOS Name Service (UDP port 137) on other computers to enumerate information such as each host's name and domain. The placement of this tool in the RECYCLER directory suggests that the adversary brought it into the environment and used its output to decide which host to move to next, getting closer to their actions on objective.

Example 2 – Ping sweep

A ping sweep lets the threat actor check which hosts on the network are up before probing them further. In this example the targets were not sequential addresses, so the threat actor likely used other information to choose them. Using Red Cloak's ability to examine the parent process of these ping commands (see Figure 3), CTU™ researchers found that the threat actor opened a command prompt and used built-in Windows commands to enumerate hosts: "net view" to list the shares offered by other hosts on the network, and "arp -a" to dump the Address Resolution Protocol (ARP) cache and see which hosts this system had recently communicated with.

The threat actor then pinged hosts taken from the ARP cache to confirm which ones were reachable. Armed with this information, they continued scanning the network and working toward their final objective.
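The pattern in this example (a command prompt spawning net view, arp -a and a burst of pings to hand-picked hosts) is detectable from process-creation telemetry alone. The following is an added example, not code from the SecureWorks post or from Red Cloak: it runs a simple detection over constructed Sysmon-style process events, flags a parent process whose children ping several distinct hosts within a short window, reports which other built-in recon commands the same parent ran, and notes whether the targets form a contiguous range (a classic sweep) or, as in the case above, were chosen from other information. The event records, the ten-minute window and the three-target threshold are assumptions.

```python
"""Detect host enumeration with built-in Windows commands from process-creation events.

Added example, not code from the SecureWorks post: the events below are constructed
Sysmon-style records, and the window and threshold values are assumptions.
"""
import ipaddress
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, pid, parent pid, image, command line).
EVENTS = [
    # Threat actor: cmd.exe spawns net view, arp -a, then pings non-sequential hosts.
    ("2016-05-01T10:00:00", 400, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("2016-05-01T10:00:05", 401, 400, r"C:\Windows\System32\net.exe", "net view"),
    ("2016-05-01T10:00:09", 402, 400, r"C:\Windows\System32\ARP.EXE", "arp -a"),
    ("2016-05-01T10:00:20", 403, 400, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.1.2.15"),
    ("2016-05-01T10:00:24", 404, 400, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.1.2.40"),
    ("2016-05-01T10:00:31", 405, 400, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.1.2.77"),
    ("2016-05-01T10:00:38", 406, 400, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.1.5.9"),
    # Administrator: a single ping from another command prompt; should not alert.
    ("2016-05-01T11:00:00", 600, 300, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("2016-05-01T11:00:03", 601, 600, r"C:\Windows\System32\PING.EXE", "ping 10.1.2.1"),
]

NET_VIEW = re.compile(r"^net(?:\.exe)?\s+view\b", re.IGNORECASE)
ARP_CACHE = re.compile(r"^arp(?:\.exe)?\s+-a\b", re.IGNORECASE)


def classify(image, cmdline):
    """Map one child process to a recon label (and ping target), or None if not of interest."""
    name = ntpath.basename(image).lower()
    cl = cmdline.strip()
    if name == "net.exe" and NET_VIEW.match(cl):
        return ("net view", None)
    if name == "arp.exe" and ARP_CACHE.match(cl):
        return ("arp -a", None)
    if name == "ping.exe" and len(cl.split()) > 1:
        return ("ping", cl.split()[-1])  # the target is ping's last argument
    return None


def is_sequential(targets):
    """True when all targets are IPv4 addresses forming one contiguous run (a classic sweep)."""
    try:
        nums = sorted(int(ipaddress.IPv4Address(t)) for t in targets)
    except ValueError:
        return False
    return len(nums) > 1 and nums[-1] - nums[0] == len(nums) - 1


def detect_enumeration(events, window=timedelta(minutes=10), min_ping_targets=3):
    """Flag a parent whose children ping >= min_ping_targets distinct hosts within `window`.

    The finding also lists the other built-in recon commands (net view, arp -a)
    seen under the same parent in that window.
    """
    children = defaultdict(list)
    for ts, pid, ppid, image, cmdline in events:
        children[ppid].append((datetime.fromisoformat(ts), pid, image, cmdline))

    findings = []
    for ppid, kids in children.items():
        kids.sort()
        for i, (start, _, _, _) in enumerate(kids):
            recon, targets = set(), set()
            for ts, _, image, cmdline in kids[i:]:
                if ts - start > window:
                    break
                hit = classify(image, cmdline)
                if hit is None:
                    continue
                label, target = hit
                if label == "ping":
                    targets.add(target)
                else:
                    recon.add(label)
            if len(targets) >= min_ping_targets:
                findings.append({
                    "parent_pid": ppid,
                    "start": start.isoformat(),
                    "recon_commands": recon,
                    "ping_targets": targets,
                    "sequential": is_sequential(targets),
                })
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(EVENTS):
        print(finding)
```

Keying on the parent process is what turns four unremarkable ping.exe launches into one finding; a rule that looked at each ping in isolation would fire on every administrator. The "sequential" flag is there for the analyst rather than the alert: a contiguous range suggests a blind sweep, while scattered targets, as in this case, suggest the actor already had a host list from arp -a or net view.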

Example 3 – Custom tools for enumeration and host survey

In this final example, a threat actor first used a script to enumerate information about the initially compromised host. Figure 4 shows the tool collecting local information such as web history, Windows version, local users, and patch levels.

Figure 4. The threat actor used a script to survey a compromised host. (Source: SecureWorks)

After surveying the local host, the threat actor used a custom tool disguised as svchost.exe to enumerate other hosts on the network. Figure 5 displays the network flows, which show the tool scanning hosts for a set of common services (80/HTTP, 22/SSH, 443/HTTPS, 139/NetBIOS, 445/SMB, 3389/RDP).

By looking at a specific instance of this process, CTU researchers discovered that it was running from the C:\.RECYCLER\ directory and therefore was not the legitimate Windows svchost process (see Figure 7). The genuine svchost.exe runs from %SystemRoot%\System32 (or SysWOW64 for 32-bit service hosts) and is started by services.exe; a file with that name running from any other path, or under any other parent, warrants a closer look.

Red Cloak provides additional details about this particular svchost.exe file: basic file metadata, VirusTotal results, the results of CTU researcher analysis, how common the file is, and where else it has been observed within the network. As shown in Figure 8, this file was marked as malicious because it was flagged by custom signatures. This information can be a starting point for steering incident response in the proper direction to find out more about the threat actor.
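Both the NetBIOS scan in Example 1 and the service scan in Example 3 show up the same way in per-process flow data: one process talking to far more destinations, or far more ports per destination, than its role warrants. The block below is an added example, not code from the SecureWorks post or from Red Cloak. It runs over constructed flow records of the shape an EDR exports (process image and pid plus destination, protocol and port), flags a horizontal scan (one service, many hosts, as with sharescan.exe on UDP/137), a vertical scan (many services per host, as with the fake svchost.exe), and separately flags a core Windows binary name running outside System32, so the masquerading svchost.exe is caught on its path alone. The host, path and port values, and the thresholds of eight hosts and four ports, are assumptions.

```python
"""Detect scanning from per-process network flows, and system binaries running from the wrong path.

Added example, not code from the SecureWorks post: the flows below are constructed
records (process + destination/protocol/port), and the thresholds are assumptions.
"""
import ntpath
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts pid image dst proto dport")

SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCAN_PORTS = {80: "HTTP", 22: "SSH", 443: "HTTPS", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}

# Constructed sample flows.
FLOWS = []
# Example 1 pattern: sharescan.exe queries NetBIOS Name Service (UDP/137) on many hosts.
for i in range(10, 22):
    FLOWS.append(Flow("10:00:%02d" % i, 500, r"C:\RECYCLER\sharescan.exe", f"10.1.2.{i}", "udp", 137))
# Example 3 pattern: a fake svchost.exe probes six common service ports on a few hosts.
for host in ("10.1.3.5", "10.1.3.6", "10.1.3.9", "10.1.3.12"):
    for port in SCAN_PORTS:
        FLOWS.append(Flow("10:05:00", 700, r"C:\.RECYCLER\svchost.exe", host, "tcp", port))
# Benign: the real svchost.exe and a browser; neither should alert.
FLOWS.append(Flow("10:06:00", 800, r"C:\Windows\System32\svchost.exe", "10.1.1.20", "tcp", 443))
for host in ("10.1.1.30", "10.1.1.31", "10.1.1.32"):
    FLOWS.append(Flow("10:07:00", 900, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                      host, "tcp", 443))


def is_masquerading(image):
    """A core Windows binary name running outside System32/SysWOW64 is a red flag."""
    name = ntpath.basename(image).lower()
    return name in SYSTEM_BINARIES and not image.lower().startswith(SYSTEM_DIRS)


def detect_scans(flows, min_hosts=8, min_ports=4):
    """Return {image: finding} for processes that scan horizontally, vertically, or masquerade."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    findings = {}
    for (pid, image), fl in by_proc.items():
        hosts_per_port = defaultdict(set)   # horizontal: one service, many hosts
        ports_per_host = defaultdict(set)   # vertical: many services on one host
        for f in fl:
            hosts_per_port[(f.proto, f.dport)].add(f.dst)
            ports_per_host[f.dst].add((f.proto, f.dport))

        reasons = []
        for (proto, port), hosts in sorted(hosts_per_port.items(), key=lambda kv: kv[0]):
            if len(hosts) >= min_hosts:
                reasons.append(f"{len(hosts)} hosts on {proto}/{port}")
        swept = [h for h, ports in ports_per_host.items() if len(ports) >= min_ports]
        if swept:
            widest = max(len(ports_per_host[h]) for h in swept)
            reasons.append(f"up to {widest} ports on each of {len(swept)} hosts")
        if is_masquerading(image):
            reasons.append("system binary name outside System32")
        if reasons:
            findings[image] = {
                "pid": pid,
                "reasons": reasons,
                "hosts": sorted({f.dst for f in fl}),
            }
    return findings


if __name__ == "__main__":
    for image, finding in detect_scans(FLOWS).items():
        print(image, finding["reasons"])
```

The path check is deliberately independent of the flow thresholds: a scanner that stays under the host and port counts is still caught if it borrows a system binary's name, and a legitimate System32 svchost.exe that happens to talk to many hosts is reported only for its traffic, which an analyst can then triage against the service it hosts.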

Threat actors rarely gain their initial foothold on the host they are actually interested in; they typically need to enumerate the hosts on the network to find accessible systems. Endpoint security solutions like Red Cloak minimize the impact of an intrusion by detecting activities such as host enumeration, catching threat actors before they can achieve their actions on objective.